/// <summary>
/// Queries a string-valued driver information class through KProcessHacker.
/// </summary>
/// <param name="infoClass">The information class to query.</param>
/// <returns>The string read from the UNICODE_STRING at the start of the reply.</returns>
private string GetInformationUnicodeString(DriverInformationClass infoClass)
{
    // A page is enough for the common case; a larger buffer is only
    // allocated when the first query fails.
    using (MemoryAlloc buffer = new MemoryAlloc(0x1000))
    {
        int requiredLength = 0;
        bool firstAttemptFailed = false;

        try
        {
            KProcessHacker.Instance.KphQueryInformationDriver(this, infoClass, buffer, buffer.Size, out requiredLength);
        }
        catch (WindowsException)
        {
            // Treated as "buffer too small"; requiredLength is assumed to hold the size
            // the driver asked for — TODO confirm the wrapper sets it before throwing.
            firstAttemptFailed = true;
        }

        if (firstAttemptFailed)
        {
            buffer.ResizeNew(requiredLength);
            KProcessHacker.Instance.KphQueryInformationDriver(this, infoClass, buffer, buffer.Size, out requiredLength);
        }

        UnicodeString result = buffer.ReadStruct<UnicodeString>();

        return result.Read();
    }
}
/// <summary>
/// Reads the referenced memory and marshals it as a structure of type <typeparamref name="T"/>.
/// </summary>
/// <typeparam name="T">The value type to marshal out of the memory.</typeparam>
/// <returns>The marshaled structure.</returns>
public T Read<T>() where T : struct
{
    MemoryAlloc copy = this.Read();

    // The temporary allocation only has to outlive the marshal call.
    using (copy)
    {
        T value = copy.ReadStruct<T>();

        return value;
    }
}
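/// <summary>
/// Gets the device name for the specified handle via the mount manager's
/// query-device-name request.
/// </summary>
/// <param name="fhandle">An open handle to the device.</param>
/// <returns>The device name string.</returns>
public static string GetDeviceName(FileHandle fhandle)
{
    // Fixed-size reply buffer; the name length reported back is validated
    // against it below rather than trusted.
    using (MemoryAlloc data = new MemoryAlloc(600))
    {
        fhandle.IoControl(IoCtlQueryDeviceName, IntPtr.Zero, 0, data, data.Size);

        MountDevName name = data.ReadStruct<MountDevName>();

        // NameLength is a byte count. Never read past the end of our allocation
        // if the reported length is larger than what could have been written.
        if (MountDevName.NameOffset + name.NameLength > data.Size)
            Win32.Throw(NtStatus.BufferOverflow);

        return data.ReadUnicodeString(MountDevName.NameOffset, name.NameLength / 2);
    }
}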
/// <summary>
/// Gets the service's configuration.
/// </summary>
/// <returns>The configuration as returned by QueryServiceConfig.</returns>
public QueryServiceConfig GetConfig()
{
    int neededSize;

    // Size probe: no buffer, just ask how many bytes are required.
    Win32.QueryServiceConfig(this, IntPtr.Zero, 0, out neededSize);

    using (MemoryAlloc buffer = new MemoryAlloc(neededSize))
    {
        bool ok = Win32.QueryServiceConfig(this, buffer, buffer.Size, out neededSize);

        if (!ok)
            Win32.ThrowLastError();

        return buffer.ReadStruct<QueryServiceConfig>();
    }
}
/// <summary>
/// Gets the service's description.
/// </summary>
/// <returns>A string.</returns>
public string GetDescription()
{
    int neededSize;

    // Size probe: no buffer, just ask how many bytes are required.
    Win32.QueryServiceConfig2(this, ServiceInfoLevel.Description, IntPtr.Zero, 0, out neededSize);

    using (MemoryAlloc buffer = new MemoryAlloc(neededSize))
    {
        // The probed size is passed back rather than buffer.Size; the two are equal here.
        bool ok = Win32.QueryServiceConfig2(this, ServiceInfoLevel.Description, buffer, neededSize, out neededSize);

        if (!ok)
            Win32.ThrowLastError();

        ServiceDescription description = buffer.ReadStruct<ServiceDescription>();

        return description.Description;
    }
}
/// <summary>
/// Gets the token's user.
/// </summary>
/// <returns>A Sid instance built from the TOKEN_USER reply.</returns>
public Sid GetUser()
{
    int neededSize;

    // Size probe: no buffer, just ask how many bytes are required.
    Win32.GetTokenInformation(this, TokenInformationClass.TokenUser, IntPtr.Zero, 0, out neededSize);

    using (MemoryAlloc buffer = new MemoryAlloc(neededSize))
    {
        bool ok = Win32.GetTokenInformation(this.Handle, TokenInformationClass.TokenUser, buffer, buffer.Size, out neededSize);

        if (!ok)
            Win32.Throw();

        TokenUser tokenUser = buffer.ReadStruct<TokenUser>();

        return new Sid(tokenUser.User.Sid, tokenUser.User.Attributes);
    }
}
/// <summary>
/// Queries a job object information class into a structure of type <typeparamref name="T"/>.
/// </summary>
/// <typeparam name="T">The structure the information class is marshaled as.</typeparam>
/// <param name="informationClass">The information class to query.</param>
/// <returns>The marshaled structure.</returns>
private T QueryStruct<T>(JobObjectInformationClass informationClass) where T : struct
{
    int neededSize;

    // Start with exactly one struct's worth of memory.
    using (MemoryAlloc buffer = new MemoryAlloc(Marshal.SizeOf(typeof(T))))
    {
        bool ok = Win32.QueryInformationJobObject(this, informationClass, buffer, buffer.Size, out neededSize);

        if (!ok)
        {
            // Retry once at the size the system reported.
            buffer.Resize(neededSize);
            ok = Win32.QueryInformationJobObject(this, informationClass, buffer, buffer.Size, out neededSize);

            if (!ok)
                Win32.ThrowLastError();
        }

        return buffer.ReadStruct<T>();
    }
}
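/// <summary>
/// Reads the substitute name of a mount-point reparse point.
/// </summary>
/// <param name="fhandle">A handle opened on the reparse point.</param>
/// <returns>The substitute (target) path stored in the reparse data.</returns>
private static string GetReparsePointTarget(FileHandle fhandle)
{
    using (MemoryAlloc data = new MemoryAlloc(FileSystem.MaximumReparseDataBufferSize))
    {
        fhandle.IoControl(FileSystem.FsCtlGetReparsePoint, IntPtr.Zero, 0, data, data.Size);

        FileSystem.ReparseDataBuffer buffer = data.ReadStruct<FileSystem.ReparseDataBuffer>();

        // Make sure it is in fact a mount point.
        if (buffer.ReparseTag != (uint)IoReparseTag.MountPoint)
            Win32.Throw(NtStatus.InvalidParameter);

        // The substitute-name offset and length come out of the reparse data itself;
        // check they stay inside the buffer we handed to the driver before reading.
        int nameStart = FileSystem.ReparseDataBuffer.MountPointPathBuffer + buffer.SubstituteNameOffset;

        if (nameStart + (long)buffer.SubstituteNameLength > data.Size)
            Win32.Throw(NtStatus.BufferOverflow);

        // SubstituteNameLength is in bytes; ReadUnicodeString wants characters.
        return data.ReadUnicodeString(nameStart, buffer.SubstituteNameLength / 2);
    }
}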
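/// <summary>
/// Gets the log file path of this transaction manager.
/// </summary>
/// <returns>The log path string.</returns>
public string GetLogFileName()
{
    NtStatus status;
    int retLength;

    using (var data = new MemoryAlloc(0x1000))
    {
        status = Win32.NtQueryInformationTransactionManager(this, TmInformationClass.TransactionManagerLogPathInformation, data, data.Size, out retLength);

        if (status == NtStatus.BufferTooSmall)
        {
            // Resize the buffer and try again.
            data.ResizeNew(retLength);
            status = Win32.NtQueryInformationTransactionManager(this, TmInformationClass.TransactionManagerLogPathInformation, data, data.Size, out retLength);
        }

        if (status >= NtStatus.Error)
            Win32.Throw(status);

        TmLogPathInformation logPathInfo = data.ReadStruct<TmLogPathInformation>();

        // LogPathLength is a byte count (TRANSACTIONMANAGER_LOGPATH_INFORMATION);
        // make sure the string lies within the reply before reading it.
        if (TmLogPathInformation.LogPathOffset + (long)logPathInfo.LogPathLength > data.Size)
            Win32.Throw(NtStatus.BufferOverflow);

        // ReadUnicodeString takes a character count, as the other UNICODE readers in
        // this codebase do, so the byte length is halved here.
        return data.ReadUnicodeString(TmLogPathInformation.LogPathOffset, logPathInfo.LogPathLength / 2);
    }
}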
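/// <summary>
/// Queries a job object information class into a structure of type <typeparamref name="T"/>,
/// starting from a caller-chosen buffer size and growing once if the system asks for more.
/// </summary>
/// <typeparam name="T">The structure the information class is marshaled as.</typeparam>
/// <param name="informationClass">The information class to query.</param>
/// <param name="size">Initial buffer size in bytes.</param>
/// <returns>The marshaled structure.</returns>
private T QueryStruct<T>(JobObjectInformationClass informationClass, int size) where T : struct
{
    int retLength;

    using (MemoryAlloc data = new MemoryAlloc(size))
    {
        // A single query; a failure is treated as "buffer too small" and retried
        // once at the size the system reported. (An earlier duplicate of this call,
        // whose result and last-error value were stored but never read, was removed.)
        if (!Win32.QueryInformationJobObject(this, informationClass, data, data.Size, out retLength))
        {
            data.ResizeNew(retLength);

            if (!Win32.QueryInformationJobObject(this, informationClass, data, data.Size, out retLength))
                Win32.Throw();
        }

        return data.ReadStruct<T>();
    }
}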
/// <summary>
/// Peeks at the data waiting in the pipe without removing it.
/// </summary>
/// <param name="buffer">Destination for the peeked bytes, or IntPtr.Zero to only query the counts.</param>
/// <param name="length">Maximum number of bytes to peek.</param>
/// <param name="bytesAvailable">Total number of bytes available to read from the pipe.</param>
/// <param name="bytesLeftInMessage">Bytes of the current message not covered by this peek.</param>
/// <returns>The number of bytes peeked (copied when <paramref name="buffer"/> is non-null).</returns>
public int Peek(IntPtr buffer, int length, out int bytesAvailable, out int bytesLeftInMessage)
{
    int totalSize = FilePipePeekBuffer.DataOffset + length;

    using (var peekData = new MemoryAlloc(totalSize))
    {
        int returnLength;
        NtStatus status = this.FsControl(FsCtlPeek, IntPtr.Zero, 0, peekData, peekData.Size, out returnLength);

        // A buffer overflow only means the pipe holds more than we asked for;
        // the header and the bytes that did fit are still valid.
        if (status == NtStatus.BufferOverflow)
            status = NtStatus.Success;

        if (status >= NtStatus.Error)
            Win32.Throw(status);

        FilePipePeekBuffer header = peekData.ReadStruct<FilePipePeekBuffer>();

        // The payload is whatever follows the fixed header within the returned length.
        int copied = returnLength - FilePipePeekBuffer.DataOffset;

        bytesAvailable = header.ReadDataAvailable;
        bytesLeftInMessage = header.MessageLength - copied;

        if (buffer != IntPtr.Zero)
            peekData.ReadMemory(buffer, 0, FilePipePeekBuffer.DataOffset, copied);

        return copied;
    }
}
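/// <summary>
/// Gets the IDs of the processes currently assigned to this job.
/// </summary>
/// <returns>An array of process IDs.</returns>
public int[] GetProcessIdList()
{
    int retLength;

    // FIXME: Fixed buffer. A job with more processes than fit here makes the
    // query fail (and throw) rather than return a partial list.
    using (MemoryAlloc data = new MemoryAlloc(0x1000))
    {
        if (!Win32.QueryInformationJobObject(this, JobObjectInformationClass.JobObjectBasicProcessIdList, data, data.Size, out retLength))
            Win32.ThrowLastError();

        JobObjectBasicProcessIdList listInfo = data.ReadStruct<JobObjectBasicProcessIdList>();
        var count = listInfo.NumberOfProcessIdsInList;

        // The count is read out of the buffer itself; make sure the entries we are
        // about to read (4 bytes each from offset 8, as below) actually fit in it.
        if (count < 0 || 8 + (long)count * sizeof(int) > data.Size)
            Win32.Throw(NtStatus.BufferOverflow);

        int[] processIds = new int[count];

        // NOTE(review): entries are read as 32-bit values at a 4-byte stride; the native
        // ProcessIdList is ULONG_PTR-sized, so this assumes a 32-bit process — confirm.
        for (int i = 0; i < count; i++)
            processIds[i] = data.ReadInt32(8, i);

        return processIds;
    }
}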
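/// <summary>
/// Retrieves the IPv4 UDP listener table with owning process IDs.
/// </summary>
/// <returns>The table; NumEntries may be zero.</returns>
public static MibUdpTableOwnerPid GetUdpTable()
{
    MibUdpTableOwnerPid table = new MibUdpTableOwnerPid();
    int length = 0;

    // Size probe with a null buffer; length receives the required byte count.
    // NOTE(review): the return values of both GetExtendedUdpTable calls are not
    // checked, so if the second call fails (e.g. the table grew between the two
    // calls) the buffer contents are undefined — TODO check the result.
    GetExtendedUdpTable(IntPtr.Zero, ref length, false, AiFamily.INet, UdpTableClass.OwnerPid, 0);

    using (MemoryAlloc mem = new MemoryAlloc(length))
    {
        GetExtendedUdpTable(mem, ref length, false, AiFamily.INet, UdpTableClass.OwnerPid, 0);

        int count = mem.ReadInt32(0);
        int rowSize = System.Runtime.InteropServices.Marshal.SizeOf(typeof(MibUdpRowOwnerPid));

        // dwNumEntries comes out of the buffer; never let it drive reads past the allocation.
        if (count < 0 || sizeof(int) + (long)count * rowSize > mem.Size)
            throw new InvalidOperationException("GetExtendedUdpTable returned an entry count that does not fit in the buffer.");

        table.NumEntries = count;
        table.Table = new MibUdpRowOwnerPid[count];

        for (int i = 0; i < count; i++)
            table.Table[i] = mem.ReadStruct<MibUdpRowOwnerPid>(sizeof(int), i);
    }

    return table;
}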
/// <summary>
/// Enumerates the entries of this object directory, invoking <paramref name="callback"/>
/// for each one until it returns false or the directory is exhausted.
/// </summary>
/// <param name="callback">Receives each entry's name and type name; return false to stop early.</param>
public void EnumObjects(EnumObjectsDelegate callback)
{
    NtStatus status;
    int context = 0;
    bool firstTime = true;
    int retLength;

    using (var data = new MemoryAlloc(0x200))
    {
        // Outer loop: one NtQueryDirectoryObject batch per iteration, continuing
        // from `context` until the system stops reporting MoreEntries.
        while (true)
        {
            while ((status = Win32.NtQueryDirectoryObject(
                this,
                data,
                data.Size,
                false,
                firstTime,
                ref context,
                out retLength
                )) == NtStatus.MoreEntries)
            {
                // Check if we have at least one entry. If not,
                // we need to double the buffer size and try again.
                if (data.ReadStruct<ObjectDirectoryInformation>(0).Name.Buffer != IntPtr.Zero)
                {
                    break;
                }

                // Give up rather than grow without bound.
                if (data.Size > 16 * 1024 * 1024)
                {
                    Win32.ThrowLastError(status);
                }

                data.Resize(data.Size * 2);
            }

            if (status >= NtStatus.Error)
            {
                Win32.ThrowLastError(status);
            }

            // Entries are laid out back to back; a null name buffer terminates the batch.
            // retLength is not consulted for this — the sentinel is relied on instead.
            int i = 0;

            while (true)
            {
                ObjectDirectoryInformation info = data.ReadStruct<ObjectDirectoryInformation>(i);

                if (info.Name.Buffer == IntPtr.Zero)
                {
                    break;
                }

                // A false return from the callback ends the whole enumeration.
                if (!callback(new ObjectEntry(info.Name.Read(), info.TypeName.Read())))
                {
                    return;
                }

                i++;
            }

            if (status != NtStatus.MoreEntries)
            {
                break;
            }

            // Subsequent batches resume from the context the previous call updated.
            firstTime = false;
        }
    }
}
/// <summary>
/// Intended to query a string-valued driver information class through KProcessHacker.
/// </summary>
/// <param name="infoClass">The information class to query (currently unused, see below).</param>
/// <returns>The text of the UNICODE_STRING found at the start of the buffer.</returns>
private string GetInformationUnicodeString(DriverInformationClass infoClass)
{
    using (MemoryAlloc data = new MemoryAlloc(0x1000))
    {
        // Not written to while the query below is disabled.
        int retLength = 0;

        // NOTE(review): the driver query is commented out, so nothing fills `data`
        // before it is read. The returned value therefore comes from an allocation
        // the driver never wrote (whether MemoryAlloc zero-initialises is not visible
        // here) — TODO confirm this is intentional or restore the query.
        //try
        //{
        //    KProcessHacker.Instance.KphQueryInformationDriver(
        //        this,
        //        infoClass,
        //        data,
        //        data.Size,
        //        out retLength
        //        );
        //}
        //catch (WindowsException)
        //{
        //    data.ResizeNew(retLength);
        //    KProcessHacker.Instance.KphQueryInformationDriver(
        //        this,
        //        infoClass,
        //        data,
        //        data.Size,
        //        out retLength
        //        );
        //}

        return data.ReadStruct<UnicodeString>().Text;
    }
}
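/// <summary>
/// Asks the mount manager for the volume name that corresponds to a device name.
/// </summary>
/// <param name="deviceName">The device name to look up.</param>
/// <returns>The first symbolic link that looks like a volume path, or null if there is none.</returns>
/// <exception cref="ArgumentNullException"><paramref name="deviceName"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="deviceName"/> is too long for the 16-bit length field.</exception>
public static string GetVolumeName(string deviceName)
{
    if (deviceName == null)
        throw new ArgumentNullException("deviceName");

    int deviceNameBytes = deviceName.Length * 2;

    // DeviceNameLength is a 16-bit field; refuse rather than silently truncate.
    if (deviceNameBytes > ushort.MaxValue)
        throw new ArgumentException("Device name is too long.", "deviceName");

    using (MemoryAlloc data = new MemoryAlloc(MountMgrMountPoint.SizeOf + deviceNameBytes))
    {
        MountMgrMountPoint mountPoint = new MountMgrMountPoint
        {
            DeviceNameLength = (ushort)deviceNameBytes,
            DeviceNameOffset = MountMgrMountPoint.SizeOf
        };

        data.WriteStruct(mountPoint);
        data.WriteUnicodeString(mountPoint.DeviceNameOffset, deviceName);

        using (var fhandle = OpenMountManager((FileAccess)StandardRights.Synchronize))
        {
            NtStatus status;
            int retLength;

            using (MemoryAlloc outData = new MemoryAlloc(0x100))
            {
                while (true)
                {
                    status = fhandle.IoControl(IoCtlQueryPoints, data.Memory, data.Size, outData.Memory, outData.Size, out retLength);

                    if (status != NtStatus.BufferOverflow)
                        break;

                    // The Size field at the start of the reply holds the required length.
                    // Bail out if it would not actually grow the buffer, otherwise this
                    // loop could spin forever on a bogus reply.
                    int requiredSize = Marshal.ReadInt32(outData.Memory);

                    if (requiredSize <= outData.Size)
                        Win32.Throw(NtStatus.BufferOverflow);

                    outData.ResizeNew(requiredSize);
                }

                status.ThrowIf();

                MountMgrMountPoints mountPoints = outData.ReadStruct<MountMgrMountPoints>();
                var count = mountPoints.NumberOfMountPoints;

                // Both the entry array and each name are located by values read out of the
                // reply; validate them against our allocation before dereferencing.
                if (count < 0 || MountMgrMountPoints.MountPointsOffset + (long)count * MountMgrMountPoint.SizeOf > outData.Size)
                    Win32.Throw(NtStatus.BufferOverflow);

                // Go through the mount points given and return the first symbolic link that seems
                // to be a volume name.
                for (int i = 0; i < count; i++)
                {
                    MountMgrMountPoint mp = outData.ReadStruct<MountMgrMountPoint>(MountMgrMountPoints.MountPointsOffset, MountMgrMountPoint.SizeOf, i);

                    if (mp.SymbolicLinkNameOffset + (long)mp.SymbolicLinkNameLength > outData.Size)
                        Win32.Throw(NtStatus.BufferOverflow);

                    // SymbolicLinkNameLength is in bytes; PtrToStringUni wants characters.
                    string symLinkName = Marshal.PtrToStringUni(outData.Memory.Increment(mp.SymbolicLinkNameOffset), mp.SymbolicLinkNameLength / 2);

                    if (IsVolumePath(symLinkName))
                        return symLinkName;
                }

                return null;
            }
        }
    }
}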
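/// <summary>
/// Retrieves the IPv4 UDP listener table with owning process IDs.
/// </summary>
/// <returns>The table; NumEntries may be zero.</returns>
public static MibUdpTableOwnerPid GetUdpTable()
{
    MibUdpTableOwnerPid table = new MibUdpTableOwnerPid();
    int length = 0;

    // Size probe with a null buffer; length receives the required byte count.
    // NOTE(review): the return values of both GetExtendedUdpTable calls are not
    // checked, so if the second call fails (e.g. the table grew between the two
    // calls) the buffer contents are undefined — TODO check the result.
    GetExtendedUdpTable(IntPtr.Zero, ref length, false, AiFamily.INet, UdpTableClass.OwnerPid, 0);

    using (MemoryAlloc mem = new MemoryAlloc(length))
    {
        GetExtendedUdpTable(mem, ref length, false, AiFamily.INet, UdpTableClass.OwnerPid, 0);

        int count = mem.ReadInt32(0);
        int rowSize = System.Runtime.InteropServices.Marshal.SizeOf(typeof(MibUdpRowOwnerPid));

        // dwNumEntries comes out of the buffer; never let it drive reads past the allocation.
        if (count < 0 || sizeof(int) + (long)count * rowSize > mem.Size)
            throw new InvalidOperationException("GetExtendedUdpTable returned an entry count that does not fit in the buffer.");

        table.NumEntries = count;
        table.Table = new MibUdpRowOwnerPid[count];

        for (int i = 0; i < count; i++)
            table.Table[i] = mem.ReadStruct<MibUdpRowOwnerPid>(sizeof(int), i);
    }

    return table;
}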
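/// <summary>
/// Asks the mount manager for the volume name that corresponds to a device name.
/// </summary>
/// <param name="deviceName">The device name to look up.</param>
/// <returns>The first symbolic link that looks like a volume path, or null if there is none.</returns>
/// <exception cref="ArgumentNullException"><paramref name="deviceName"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="deviceName"/> is too long for the 16-bit length field.</exception>
public static string GetVolumeName(string deviceName)
{
    if (deviceName == null)
        throw new ArgumentNullException("deviceName");

    int deviceNameBytes = deviceName.Length * 2;

    // DeviceNameLength is a 16-bit field; refuse rather than silently truncate.
    if (deviceNameBytes > ushort.MaxValue)
        throw new ArgumentException("Device name is too long.", "deviceName");

    using (MemoryAlloc data = new MemoryAlloc(MountMgrMountPoint.SizeOf + deviceNameBytes))
    {
        MountMgrMountPoint mountPoint = new MountMgrMountPoint
        {
            DeviceNameLength = (ushort)deviceNameBytes,
            DeviceNameOffset = MountMgrMountPoint.SizeOf
        };

        data.WriteStruct(mountPoint);
        data.WriteUnicodeString(mountPoint.DeviceNameOffset, deviceName);

        using (var fhandle = OpenMountManager((FileAccess)StandardRights.Synchronize))
        {
            NtStatus status;
            int retLength;

            using (MemoryAlloc outData = new MemoryAlloc(0x100))
            {
                while (true)
                {
                    status = fhandle.IoControl(IoCtlQueryPoints, data.Memory, data.Size, outData.Memory, outData.Size, out retLength);

                    if (status != NtStatus.BufferOverflow)
                        break;

                    // The Size field at the start of the reply holds the required length.
                    // Bail out if it would not actually grow the buffer, otherwise this
                    // loop could spin forever on a bogus reply.
                    int requiredSize = Marshal.ReadInt32(outData.Memory);

                    if (requiredSize <= outData.Size)
                        Win32.Throw(NtStatus.BufferOverflow);

                    outData.ResizeNew(requiredSize);
                }

                status.ThrowIf();

                MountMgrMountPoints mountPoints = outData.ReadStruct<MountMgrMountPoints>();
                var count = mountPoints.NumberOfMountPoints;

                // Both the entry array and each name are located by values read out of the
                // reply; validate them against our allocation before dereferencing.
                if (count < 0 || MountMgrMountPoints.MountPointsOffset + (long)count * MountMgrMountPoint.SizeOf > outData.Size)
                    Win32.Throw(NtStatus.BufferOverflow);

                // Go through the mount points given and return the first symbolic link that seems
                // to be a volume name.
                for (int i = 0; i < count; i++)
                {
                    MountMgrMountPoint mp = outData.ReadStruct<MountMgrMountPoint>(MountMgrMountPoints.MountPointsOffset, MountMgrMountPoint.SizeOf, i);

                    if (mp.SymbolicLinkNameOffset + (long)mp.SymbolicLinkNameLength > outData.Size)
                        Win32.Throw(NtStatus.BufferOverflow);

                    // SymbolicLinkNameLength is in bytes; PtrToStringUni wants characters.
                    string symLinkName = Marshal.PtrToStringUni(outData.Memory.Increment(mp.SymbolicLinkNameOffset), mp.SymbolicLinkNameLength / 2);

                    if (IsVolumePath(symLinkName))
                        return symLinkName;
                }

                return null;
            }
        }
    }
}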
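/// <summary>
/// Resolves an address to a symbolic name of the form module!symbol+offset, falling back
/// to module+offset or a bare address when less information is available.
/// </summary>
/// <param name="address">The address to resolve.</param>
/// <param name="level">How much of the symbol could be resolved.</param>
/// <param name="flags">The dbghelp symbol flags; zero unless a function symbol was found.</param>
/// <param name="fileName">The path of the containing module, or null if none was found.</param>
/// <param name="symbolName">The bare symbol name, or null if none was found.</param>
/// <param name="displacement">Offset of the address from the start of the resolved symbol.</param>
/// <returns>The formatted symbol string.</returns>
public string GetSymbolFromAddress(ulong address, out SymbolResolveLevel level, out SymbolFlags flags, out string fileName, out string symbolName, out ulong displacement)
{
    // Allocate some memory for the symbol information.
    using (var data = new MemoryAlloc(Marshal.SizeOf(typeof(SymbolInfo)) + _maxNameLen))
    {
        var info = new SymbolInfo();

        info.SizeOfStruct = Marshal.SizeOf(info);
        info.MaxNameLen = _maxNameLen - 1;
        Marshal.StructureToPtr(info, data, false);

        // Hack for drivers, since we don't get their module sizes.
        // Preloading modules will fix this.
        if (this.PreloadModules)
        {
            ulong b;

            this.GetModuleFromAddress(address, out b);

            using (Win32.DbgHelpLock.AcquireContext())
                Win32.SymFromAddr(_handle, b, out displacement, data);

            Marshal.StructureToPtr(info, data, false);
        }

        // Get the symbol name.
        using (Win32.DbgHelpLock.AcquireContext())
        {
            if (Win32.SymFromAddr(_handle, address, out displacement, data))
                info = data.ReadStruct<SymbolInfo>();
        }

        string modFileName;
        ulong modBase;

        // Get the module name.
        if (info.ModBase == 0)
        {
            modFileName = this.GetModuleFromAddress(address, out modBase);
        }
        else
        {
            modBase = info.ModBase;

            lock (_modules)
                modFileName = _modules.Find(kvp => kvp.Key == info.ModBase).Value;
        }

        // If we don't have a module name, return an address.
        if (modFileName == null)
        {
            level = SymbolResolveLevel.Address;
            flags = 0;
            fileName = null;
            symbolName = null;

            return Utils.FormatAddress(address);
        }

        // Best-effort normalisation of the module path. FileInfo rejects paths with
        // invalid characters or excessive length; in that case keep the raw name and
        // derive the short module name from it by hand, so that every return path
        // below has a usable module name (previously only the module+offset branch did).
        string moduleName = null;

        fileName = modFileName;

        try
        {
            FileInfo fi = new FileInfo(modFileName);

            moduleName = fi.Name;
            fileName = fi.FullName;
        }
        catch (Exception)
        {
            // Deliberately best-effort; fall through to the manual split below.
        }

        if (moduleName == null)
        {
            string[] parts = modFileName.Split('\\');

            moduleName = parts[parts.Length - 1];
        }

        // If we have a module name but not a symbol name,
        // return a module plus an offset: module+offset.
        if (info.NameLen == 0)
        {
            level = SymbolResolveLevel.Module;
            flags = 0;
            symbolName = null;

            return moduleName + "+0x" + (address - modBase).ToString("x");
        }

        // If we have everything, return the full symbol name: module!symbol+offset.
        string name = data.ReadAnsiString(SymbolInfo.NameOffset, info.NameLen);

        level = SymbolResolveLevel.Function;
        flags = info.Flags;
        symbolName = name;

        if (displacement == 0)
            return moduleName + "!" + name;

        return moduleName + "!" + name + "+0x" + displacement.ToString("x");
    }
}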
/// <summary>
/// Peeks at the data waiting in the pipe without removing it.
/// </summary>
/// <param name="buffer">Destination for the peeked bytes, or IntPtr.Zero to only query the counts.</param>
/// <param name="length">Maximum number of bytes to peek.</param>
/// <param name="bytesAvailable">Total number of bytes available to read from the pipe.</param>
/// <param name="bytesLeftInMessage">Bytes of the current message not covered by this peek.</param>
/// <returns>The number of bytes peeked (copied when <paramref name="buffer"/> is non-null).</returns>
public int Peek(IntPtr buffer, int length, out int bytesAvailable, out int bytesLeftInMessage)
{
    int totalSize = FilePipePeekBuffer.DataOffset + length;

    using (var peekData = new MemoryAlloc(totalSize))
    {
        int returnLength;
        NtStatus status = this.FsControl(FsCtlPeek, IntPtr.Zero, 0, peekData, peekData.Size, out returnLength);

        // A buffer overflow only means the pipe holds more than we asked for;
        // the header and the bytes that did fit are still valid.
        if (status == NtStatus.BufferOverflow)
            status = NtStatus.Success;

        if (status >= NtStatus.Error)
            Win32.ThrowLastError(status);

        FilePipePeekBuffer header = peekData.ReadStruct<FilePipePeekBuffer>();

        // The payload is whatever follows the fixed header within the returned length.
        int copied = returnLength - FilePipePeekBuffer.DataOffset;

        bytesAvailable = header.ReadDataAvailable;
        bytesLeftInMessage = header.MessageLength - copied;

        if (buffer != IntPtr.Zero)
            peekData.ReadMemory(buffer, 0, FilePipePeekBuffer.DataOffset, copied);

        return copied;
    }
}
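/// <summary>
/// Gets the device name for the specified handle via the mount manager's
/// query-device-name request.
/// </summary>
/// <param name="fhandle">An open handle to the device.</param>
/// <returns>The device name string.</returns>
public static string GetDeviceName(FileHandle fhandle)
{
    // Fixed-size reply buffer; the name length reported back is validated
    // against it below rather than trusted.
    using (MemoryAlloc data = new MemoryAlloc(600))
    {
        fhandle.IoControl(IoCtlQueryDeviceName, IntPtr.Zero, 0, data, data.Size);

        MountDevName name = data.ReadStruct<MountDevName>();

        // NameLength is a byte count. Never read past the end of our allocation
        // if the reported length is larger than what could have been written.
        if (MountDevName.NameOffset + name.NameLength > data.Size)
            Win32.Throw(NtStatus.BufferOverflow);

        return data.ReadUnicodeString(MountDevName.NameOffset, name.NameLength / 2);
    }
}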
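/// <summary>
/// Resolves an address to a symbolic name of the form module!symbol+offset, falling back
/// to module+offset or a bare address when less information is available.
/// </summary>
/// <param name="address">The address to resolve.</param>
/// <param name="level">How much of the symbol could be resolved.</param>
/// <param name="flags">The dbghelp symbol flags; zero unless a function symbol was found.</param>
/// <param name="fileName">The path of the containing module, or null if none was found.</param>
/// <param name="symbolName">The bare symbol name, or null if none was found.</param>
/// <param name="displacement">Offset of the address from the start of the resolved symbol.</param>
/// <returns>The formatted symbol string.</returns>
public string GetSymbolFromAddress(ulong address, out SymbolResolveLevel level, out SymbolFlags flags, out string fileName, out string symbolName, out ulong displacement)
{
    // Allocate some memory for the symbol information.
    using (var data = new MemoryAlloc(Marshal.SizeOf(typeof(SymbolInfo)) + _maxNameLen))
    {
        var info = new SymbolInfo();

        info.SizeOfStruct = Marshal.SizeOf(info);
        info.MaxNameLen = _maxNameLen - 1;
        Marshal.StructureToPtr(info, data, false);

        // Hack for drivers, since we don't get their module sizes.
        // Preloading modules will fix this.
        if (this.PreloadModules)
        {
            ulong b;

            this.GetModuleFromAddress(address, out b);

            using (Win32.DbgHelpLock.AcquireContext())
                Win32.SymFromAddr(_handle, b, out displacement, data);

            Marshal.StructureToPtr(info, data, false);
        }

        // Get the symbol name.
        using (Win32.DbgHelpLock.AcquireContext())
        {
            if (Win32.SymFromAddr(_handle, address, out displacement, data))
                info = data.ReadStruct<SymbolInfo>();
        }

        string modFileName;
        ulong modBase;

        // Get the module name.
        if (info.ModBase == 0)
        {
            modFileName = this.GetModuleFromAddress(address, out modBase);
        }
        else
        {
            modBase = info.ModBase;

            lock (_modules)
                modFileName = _modules.Find(kvp => kvp.Key == info.ModBase).Value;
        }

        // If we don't have a module name, return an address.
        if (modFileName == null)
        {
            level = SymbolResolveLevel.Address;
            flags = 0;
            fileName = null;
            symbolName = null;

            return Utils.FormatAddress(address);
        }

        // Best-effort normalisation of the module path. FileInfo rejects paths with
        // invalid characters or excessive length; in that case keep the raw name and
        // derive the short module name from it by hand, so that every return path
        // below has a usable module name (previously only the module+offset branch did).
        string moduleName = null;

        fileName = modFileName;

        try
        {
            FileInfo fi = new FileInfo(modFileName);

            moduleName = fi.Name;
            fileName = fi.FullName;
        }
        catch (Exception)
        {
            // Deliberately best-effort; fall through to the manual split below.
        }

        if (moduleName == null)
        {
            string[] parts = modFileName.Split('\\');

            moduleName = parts[parts.Length - 1];
        }

        // If we have a module name but not a symbol name,
        // return a module plus an offset: module+offset.
        if (info.NameLen == 0)
        {
            level = SymbolResolveLevel.Module;
            flags = 0;
            symbolName = null;

            return moduleName + "+0x" + (address - modBase).ToString("x");
        }

        // If we have everything, return the full symbol name: module!symbol+offset.
        string name = data.ReadAnsiString(SymbolInfo.NameOffset, info.NameLen);

        level = SymbolResolveLevel.Function;
        flags = info.Flags;
        symbolName = name;

        if (displacement == 0)
            return moduleName + "!" + name;

        return moduleName + "!" + name + "+0x" + displacement.ToString("x");
    }
}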
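/// <summary>
/// Reads the substitute name of a mount-point reparse point.
/// </summary>
/// <param name="fhandle">A handle opened on the reparse point.</param>
/// <returns>The substitute (target) path stored in the reparse data.</returns>
private static string GetReparsePointTarget(FileHandle fhandle)
{
    using (MemoryAlloc data = new MemoryAlloc(FileSystem.MaximumReparseDataBufferSize))
    {
        fhandle.IoControl(FileSystem.FsCtlGetReparsePoint, IntPtr.Zero, 0, data, data.Size);

        FileSystem.ReparseDataBuffer buffer = data.ReadStruct<FileSystem.ReparseDataBuffer>();

        // Make sure it is in fact a mount point.
        if (buffer.ReparseTag != (uint)IoReparseTag.MountPoint)
            Win32.Throw(NtStatus.InvalidParameter);

        // The substitute-name offset and length come out of the reparse data itself;
        // check they stay inside the buffer we handed to the driver before reading.
        int nameStart = FileSystem.ReparseDataBuffer.MountPointPathBuffer + buffer.SubstituteNameOffset;

        if (nameStart + (long)buffer.SubstituteNameLength > data.Size)
            Win32.Throw(NtStatus.BufferOverflow);

        // SubstituteNameLength is in bytes; ReadUnicodeString wants characters.
        return data.ReadUnicodeString(nameStart, buffer.SubstituteNameLength / 2);
    }
}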
/// <summary>
/// Queries a string-valued driver information class through KProcessHacker.
/// </summary>
/// <param name="infoClass">The information class to query.</param>
/// <returns>The string read from the UNICODE_STRING at the start of the reply.</returns>
private string GetInformationUnicodeString(DriverInformationClass infoClass)
{
    using (MemoryAlloc data = new MemoryAlloc(0x1000))
    {
        int retLength = 0;
        bool needRetry;

        try
        {
            KProcessHacker.Instance.KphQueryInformationDriver(this, infoClass, data, data.Size, out retLength);
            needRetry = false;
        }
        catch (WindowsException)
        {
            // Assumed to mean the page-sized buffer was too small; retLength is
            // expected to carry the required size — TODO confirm the wrapper sets it.
            needRetry = true;
        }

        if (needRetry)
        {
            // Second attempt at the reported size; any failure here propagates.
            data.ResizeNew(retLength);
            KProcessHacker.Instance.KphQueryInformationDriver(this, infoClass, data, data.Size, out retLength);
        }

        UnicodeString str = data.ReadStruct<UnicodeString>();

        return str.Read();
    }
}
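/// <summary>
/// Resolves an address to a symbolic name of the form module!symbol+offset, falling back
/// to module+offset or a bare address when less information is available.
/// </summary>
/// <param name="address">The address to resolve.</param>
/// <param name="level">How much of the symbol could be resolved.</param>
/// <param name="flags">The dbghelp symbol flags; zero unless a function symbol was found.</param>
/// <param name="fileName">The path of the containing module, or null if none was found.</param>
/// <param name="symbolName">The bare symbol name, or null if none was found.</param>
/// <param name="displacement">Offset of the address from the start of the resolved symbol.</param>
/// <returns>The formatted symbol string.</returns>
public string GetSymbolFromAddress(ulong address, out SymbolResolveLevel level, out SymbolFlags flags, out string fileName, out string symbolName, out ulong displacement)
{
    // Allocate some memory for the symbol information.
    using (var data = new MemoryAlloc(Marshal.SizeOf(typeof(SymbolInfo)) + _maxNameLen))
    {
        var info = new SymbolInfo();

        info.SizeOfStruct = Marshal.SizeOf(info);
        info.MaxNameLen = _maxNameLen - 1;
        Marshal.StructureToPtr(info, data, false);

        // Drivers do not come with module sizes; when modules are preloaded, a first
        // lookup on the module base primes dbghelp before the real query.
        if (this.PreloadModules)
        {
            ulong b;

            this.GetModuleFromAddress(address, out b);

            using (Win32.DbgHelpLock.AcquireContext())
                Win32.SymFromAddr(_handle, b, out displacement, data);

            Marshal.StructureToPtr(info, data, false);
        }

        // Get the symbol name.
        using (Win32.DbgHelpLock.AcquireContext())
        {
            if (Win32.SymFromAddr(_handle, address, out displacement, data))
                info = data.ReadStruct<SymbolInfo>();
        }

        string modFileName;
        ulong modBase;

        // Get the module name.
        if (info.ModBase == 0)
        {
            modFileName = this.GetModuleFromAddress(address, out modBase);
        }
        else
        {
            modBase = info.ModBase;

            lock (_modules)
                modFileName = _modules.Find(kvp => kvp.Key == info.ModBase).Value;
        }

        // If we don't have a module name, return an address.
        if (modFileName == null)
        {
            level = SymbolResolveLevel.Address;
            flags = 0;
            fileName = null;
            symbolName = null;

            return Utils.FormatAddress(address);
        }

        // Best-effort normalisation of the module path. FileInfo rejects paths with
        // invalid characters or excessive length; in that case keep the raw name and
        // derive the short module name from it by hand, so that every return path
        // below has a usable module name (previously only the module+offset branch did).
        string moduleName = null;

        fileName = modFileName;

        try
        {
            FileInfo fi = new FileInfo(modFileName);

            moduleName = fi.Name;
            fileName = fi.FullName;
        }
        catch (Exception)
        {
            // Deliberately best-effort; fall through to the manual split below.
        }

        if (moduleName == null)
        {
            string[] parts = modFileName.Split('\\');

            moduleName = parts[parts.Length - 1];
        }

        // If we have a module name but not a symbol name,
        // return a module plus an offset: module+offset.
        if (info.NameLen == 0)
        {
            level = SymbolResolveLevel.Module;
            flags = 0;
            symbolName = null;

            return moduleName + "+0x" + (address - modBase).ToString("x");
        }

        // If we have everything, return the full symbol name: module!symbol+offset.
        string name = Marshal.PtrToStringAnsi(data.Memory.Increment(Win32.SymbolInfoNameOffset), info.NameLen);

        level = SymbolResolveLevel.Function;
        flags = info.Flags;
        symbolName = name;

        if (displacement == 0)
            return moduleName + "!" + name;

        return moduleName + "!" + name + "+0x" + displacement.ToString("x");
    }
}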